The TSE reconstructs and inspects flow payloads by parsing the traffic at the application layer. As each new packet of the traffic flow arrives, the engine re-evaluates the traffic for malicious content. The instant the engine detects malicious traffic, it blocks all current and all subsequent packets pertaining to the traffic flow. The blocking of the traffic and packets ensures that the attack never reaches its destination.
The combination of high-speed network processors and custom chips provides the basis for IPS technology. These highly specialized traffic classification engines enable the IPS to filter with extreme accuracy at gigabit speeds and microsecond latencies. Unlike software-based systems, whose performance is affected by the number of filters installed, the highly scalable capacity of the hardware engine allows thousands of filters to run simultaneously with no impact on performance or accuracy.
| Parameter | Description |
| --- | --- |
| Connection Table Timeout (TCP) | Specifies the global timeout interval for TCP traffic on the connection table. For blocked streams in the connection table, this value determines the time interval that elapses before the blocked connection is cleared from the connection table. Before the timeout occurs, any incoming packets for that stream are blocked at the IPS device. After the connection is cleared (the timeout interval expires), the incoming connection is allowed until traffic matches another blocking filter. Blocked streams can also be cleared from the connection table manually from the Blocked Streams page (Events -> Managed Streams -> Blocked Streams). |
| Connection Table Timeout (non-TCP) | Specifies the global timeout interval for non-TCP traffic on the connection table. |
| Trust Table Timeout | Specifies the global timeout interval for the trust table. This value determines the time interval that elapses before the trusted connection is cleared from the trust table. |
| Quarantine Timeout | Specifies the global timeout for the quarantine table. For quarantined hosts in the quarantine table, this value determines the time interval that elapses before the quarantined host is cleared from the quarantine table. After the quarantined host is cleared (the timeout interval expires), quarantined addresses may be automatically released, if that option is selected. |
| Asymmetric Network | Specifies whether the IPS device is configured for an asymmetric network. When asymmetric configuration is enabled, the IPS device will not see both sides of a TCP connection. This option is enabled by default. |
| Logging Mode | Configure settings to prevent traffic-related event notifications (such as those generated when a triggered filter is configured with a Block+Notify or Permit+Notify action set) from causing network congestion. Logging Mode: determines whether logging is enabled or disabled when the network becomes congested. Always indicates that the system continues logging even if traffic is dropped under high load. Disable if congested indicates that logging will be disabled when the system reaches the specified congestion percentage. Congestion Percentage: can be configured if the disable logging option is selected. This value specifies the amount of network congestion that can occur before the system disables logging functions. Disable Time: specifies the amount of time (default is 10 minutes) that logging is disabled before the service is restarted. When the downtime expires, the system re-enables logging and displays the number of missed notifications. |
| Congestion Notification | Specifies whether alert messages will be sent when the overall device congestion exceeds the specified threshold. |
| HTTP Response Processing | Specifies inspection of encoded HTTP responses. |
| DNS reputation NXDOMAIN response | Allows the IPS to respond with NXDOMAIN (name does not exist) to clients that make DNS requests for hosts that are blocked. |
| IDS Mode | When IDS mode is enabled, it adjusts the device configuration so that the device operates in a manner suitable for Intrusion Detection System (IDS) scenarios and filter configurations. |
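The following Python model, added here as an illustration and not code from the Local Security Manager or its vendor, shows how the Connection Table Timeout (TCP and non-TCP) and the Logging Mode parameters interact: a flow that matches a blocking filter stays blocked until its timeout elapses or it is cleared manually, and notifications are dropped and counted while logging is suspended under congestion. Timeout values, flow keys and congestion percentages are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class TSEModel:
    """Constructed model of the blocked-streams connection table and
    congestion-gated logging described in the parameter table."""
    tcp_timeout: float = 1800.0       # Connection Table Timeout (TCP), seconds (assumed)
    non_tcp_timeout: float = 60.0     # Connection Table Timeout (non-TCP), seconds (assumed)
    logging_mode: str = "always"      # "always" or "disable_if_congested"
    congestion_pct: int = 90          # Congestion Percentage
    disable_time: float = 600.0       # Disable Time, default 10 minutes
    blocked: dict = field(default_factory=dict)  # flow key -> time the block entry expires
    log: list = field(default_factory=list)
    missed: int = 0
    logging_disabled_until: float = 0.0

    def _timeout(self, proto):
        return self.tcp_timeout if proto == "tcp" else self.non_tcp_timeout

    def notify(self, now, msg, congestion):
        # Always: keep logging. Disable if congested: suspend logging for
        # Disable Time once congestion reaches Congestion Percentage, count
        # what was missed, and report the count when logging resumes.
        if self.logging_mode == "disable_if_congested":
            if now < self.logging_disabled_until:
                self.missed += 1
                return
            if self.missed:
                self.log.append(f"logging re-enabled; {self.missed} notifications missed")
                self.missed = 0
            if congestion >= self.congestion_pct:
                self.logging_disabled_until = now + self.disable_time
                self.missed += 1
                return
        self.log.append(msg)

    def process(self, now, flow, proto, matches_filter, congestion=0):
        """Return 'blocked' or 'allowed' for one packet of a flow."""
        expires = self.blocked.get(flow)
        if expires is not None:
            if now < expires:
                return "blocked"          # still in the connection table
            del self.blocked[flow]        # timeout elapsed: entry cleared
        if matches_filter:
            # Block+Notify: block this and all subsequent packets of the flow
            self.blocked[flow] = now + self._timeout(proto)
            self.notify(now, f"blocked {flow}", congestion)
            return "blocked"
        return "allowed"

    def clear_blocked_stream(self, flow):
        """Manual clearing, as from the Blocked Streams page."""
        self.blocked.pop(flow, None)
```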
How to: Configure the Threat Suppression Engine (TSE)
On the IPS Preferences page, you can configure global settings for the TSE in the Configure Threat Suppression Engine section.
- From the LSM menu, click IPS -> Preferences.
- On the IPS Preferences page in the Configure Threat Suppression Engine (TSE) section, change the configuration parameters as required.
- Click Apply.
Reference: Local Security Manager User's Guide